From 1094e4043d7b26eb1265c0d41e6c992208600d1c Mon Sep 17 00:00:00 2001 From: Joachim Lusiardi Date: Tue, 17 May 2016 07:45:05 +0200 Subject: [PATCH 1/3] reformat to confirm PEPs --- nginx_proxy.py | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/nginx_proxy.py b/nginx_proxy.py index 5c95ca3..d64d127 100755 --- a/nginx_proxy.py +++ b/nginx_proxy.py @@ -8,8 +8,8 @@ import signal import os import logging -target_path="/tmp/nginx/" -pid_file="/var/run/nginx.pid" +target_path = "/tmp/nginx/" +pid_file = "/var/run/nginx.pid" non_location_template = """# proxy for container '$containername' server { listen $listen; @@ -25,7 +25,7 @@ server { } """ -location_template="""# proxy for container '$containername' +location_template = """# proxy for container '$containername' server { listen $listen; server_name $names; @@ -43,21 +43,24 @@ server { } """ + def print_json(data): """Prints the given value in JSON to stdout. Use this for debugging only""" print(json.dumps(data, sort_keys=True, indent=4)) + def analyse_env_vars(inspect_data): """Extracts the environment variables from the given result of an 'inspect container' call.""" env_data = {} - if not 'Env' in inspect_data['Config'] or inspect_data['Config']['Env'] is None: + if 'Env' not in inspect_data['Config'] or inspect_data['Config']['Env'] is None: return env_data for env_var in inspect_data['Config']['Env']: t = env_var.split("=") env_data[t[0]] = t[1] return env_data + def analyse_proxy_data(data): """Extracts the data for the proxy configuration (envrionment variable 'PROXY_DATA' and converts it to a dictionary.""" @@ -67,20 +70,24 @@ def analyse_proxy_data(data): proxy_data[t[0]] = t[1] return proxy_data + def extract_ip(inspect_data): """extracts the container's ip from the given inspect data""" return inspect_data['NetworkSettings']['IPAddress'] + def extract_name(inspect_data): """extracts the container's name from the given inspect data""" return inspect_data['Name'] -def get_if_available(dict, key, defValue): - if key in dict: - return dict[key] + +def get_if_available(dictionary, key, defValue): + if key in dictionary: + return dictionary[key] else: return defValue + def handle_container(id): """This function take a container's id and collects all data required to create a proper proxy configuration. The configuration is then @@ -111,15 +118,18 @@ def handle_container(id): else: file.write(Template(location_template).substitute(substitutes)) + def reload_nginx_configuration(): logging.info('HUPing nginx') os.kill(pid, signal.SIGHUP) + def get_pid(): """This function reads the process id from the given file.""" with open(pid_file, 'r') as file: return int(file.read()) + def get_docker_id(): """This function extracts the container's id from /proc/self/cgroup.""" id = '' @@ -138,6 +148,7 @@ def get_docker_id(): logging.error('could not determine container\'s id!') return id + def get_listen_ips(): inspect_data = client.inspect_container(get_docker_id()) mappings = inspect_data['NetworkSettings']['Ports']['80/tcp'] @@ -150,6 +161,7 @@ def get_listen_ips(): ips.append(data['HostIp']) return ips + def setup_logging(): logging.basicConfig(format='%(asctime)s [%(levelname)s]: %(message)s', level=logging.INFO) From 1c29d8e9622e4d0408d5c00147f49d337d376264 Mon Sep 17 00:00:00 2001 From: Joachim Lusiardi Date: Tue, 17 May 2016 22:49:15 +0200 Subject: [PATCH 2/3] Adds validation of proxy_data variable This introduces a check for the value of the PROXY_DATA variables so wrong variables do not crash the proxy. --- README.md | 8 ++++++-- nginx_proxy.py | 13 +++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9915ff9..b3ef98e 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,10 @@ This variable must be of the following format: `PROXY_DATA=server_names:test.com;www.test.com,port:80` +Or written as regex: + +PROXY\_DATA=(KEY:VALUE,)\*KEY:VALUE + The following options are possible: * **server_names**(required) the names of the virtual hosts separated by ";" @@ -30,7 +34,7 @@ Run the container like this: That means that the container exposes all Web Apps on all IPs. Do **not** use the *ip* option from above on the target containers. The *PROXY_DATA* environment variables would be something like -`PROXY_DATA=server_names:cooldomain.test.com,port:8080,location=/webApp` +`PROXY_DATA=server_names:cooldomain.test.com,port:8080,location:/webApp` ### Multiple IPs This option is used if your Docker Host has multiple IPs (perhaps a public IP in the internet and a private IP on a VPN). It is possible to expose some Web Apps only to the private network. @@ -41,6 +45,6 @@ One container must be started for each IP that should host Web Apps. For example If a target container does **not** have the *ip* option set, it listens on **all** IP adresses and will be handled by both containers. If a container uses, e.g., -`PROXY_DATA=server_names:cooldomain.test.com,port:8080,location=/webApp,ip=10.1.2.3` +`PROXY_DATA=server_names:cooldomain.test.com,port:8080,location:/webApp,ip:10.1.2.3` then it will be only available on the private 10.1.2.3 IP (perhaps using a VPN). diff --git a/nginx_proxy.py b/nginx_proxy.py index d64d127..84de4b8 100755 --- a/nginx_proxy.py +++ b/nginx_proxy.py @@ -4,6 +4,7 @@ from docker import Client from docker.errors import APIError from string import Template import json +import re import signal import os import logging @@ -71,6 +72,15 @@ def analyse_proxy_data(data): return proxy_data +def check_proxy_data_format(var_content): + """ + Validates the content of the variable. + :param var_content: content of the proxy data variable + :return: True if the content is of valid format, False otherwise + """ + return re.match(r"^(\w+:[^:,]+,)+\w+:[^:,]+$", var_content) is not None + + def extract_ip(inspect_data): """extracts the container's ip from the given inspect data""" return inspect_data['NetworkSettings']['IPAddress'] @@ -95,6 +105,9 @@ def handle_container(id): inspect_data = client.inspect_container(id) env_vars = analyse_env_vars(inspect_data) if 'PROXY_DATA' in env_vars: + if not check_proxy_data_format(env_vars['PROXY_DATA']): + logging.info('cannot handle container with id "%s" named "%s": %s', id, extract_name(inspect_data), env_vars['PROXY_DATA']) + return proxy_data = analyse_proxy_data(env_vars) container_listen_ip = get_if_available(proxy_data, 'ip', '0.0.0.0') if container_listen_ip != '0.0.0.0' and container_listen_ip not in listen_ips: From ca543dcb5b1b49c6814e9e4c2e3b456e2de161e2 Mon Sep 17 00:00:00 2001 From: Joachim Lusiardi Date: Fri, 30 Dec 2016 14:42:31 +0100 Subject: [PATCH 3/3] fixed handling of X-Forwarded-For, removed X-Real-IP stuff --- nginx_proxy.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nginx_proxy.py b/nginx_proxy.py index 84de4b8..aaafb94 100755 --- a/nginx_proxy.py +++ b/nginx_proxy.py @@ -18,8 +18,9 @@ server { location / { client_max_body_size $body_size; client_body_timeout 300s; - proxy_set_header X-Real-IP $$remote_addr; - proxy_set_header X-Forwarded-For $$remote_addr; + if ($$http_x_forwarded_for = "") { + add_header X-Forwarded-For $$remote_addr; + } proxy_set_header Host $$host; proxy_pass http://$ip:$port/; } @@ -36,8 +37,9 @@ server { location /$location { client_max_body_size $body_size; client_body_timeout 300s; - proxy_set_header X-Real-IP $$remote_addr; - proxy_set_header X-Forwarded-For $$remote_addr; + if ($$http_x_forwarded_for = "") { + add_header X-Forwarded-For $$remote_addr; + } proxy_set_header Host $$host; proxy_pass http://$ip:$port/; }